Microsoft announces its first-ever bounty programs with up to USD100k in rewards

posted on June 19, 2013
by l33tdawg

From the Microsoft BlueHat Blog: 

At the heart of our community outreach programs, we’ve always had the same philosophy: help increase the win-win between Microsoft’s customers and the security research community. We have evolved and deepened our relationships with this community since the earliest days of Microsoft’s outreach. In the early 2000s, Microsoft had to go through what I call “the five stages of vulnerability response grief.” This is a process that all vendors must invariably go through in order to reach the “Acceptance Stage,” which includes working in a collaborative way with security researchers and good old-fashioned hackers. We may not always have 100% philosophical alignment, but we always want to keep a dialog open with the research community to further the common goal of protecting customers.

This philosophy is reflected in a new strategy designed to increase protections through outreach in the security community. The new programs we are announcing today are critical components in delivering this strategy. Other programs focused on detection and protection will follow soon.

Today’s new programs continue our focus of direct investments in the research community, calling upon the clever hackers of the world to work with us on strengthening our platform-wide defenses.

Our New Bounty Programs

Today is an inflection point for Microsoft, as well as the security industry. For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques. We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft’s customers and the security researcher community.

Full details for the new bounty programs and a fantastic technical deep-dive by our esteemed panel of judges (headed by Matt Miller and David Ross) can be found on SRD's blog.

In short, we are offering cash payouts for the following programs:

  • Mitigation Bypass Bounty – Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.
  • BlueHat Bonus for Defense – Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.
  • IE11 Preview Bug Bounty – Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers.
